Skip to content

ci(publish): adopt npm staged publishing on v0.x#10936

Merged
jasonsaayman merged 2 commits into
axios:v0.xfrom
shaanmajid:feat/staged-publish-v0x
May 24, 2026
Merged

ci(publish): adopt npm staged publishing on v0.x#10936
jasonsaayman merged 2 commits into
axios:v0.xfrom
shaanmajid:feat/staged-publish-v0x

Conversation

@shaanmajid

@shaanmajid shaanmajid commented May 23, 2026
edited by cubic-dev-ai Bot
Loading

Copy link
Copy Markdown
Contributor

Summary

Adopts staged publishing for v0.x releases. See #10926 and #10935 for reference.

NOTE: This (along with #10926) depends on a one-time, owner-only change to axios' npm Trusted Publisher settings. The publisher predates npm's staged-publishing rollout, so its Allowed actions currently permits only npm publish; until npm stage publish is enabled there, OIDC publishes will fail with an HTTP 403 error. (Since Trusted Publishing is configured on a project/repository level, not on a branch level, enabling it once covers both branches; if it was enabled with #10926 then this should already be covered :D. See https://docs.npmjs.com/trusted-publishers#for-github-actions for more info.

Once both the v0.x and v1.x release workflows are on npm stage publish, I'd also recommend unselecting npm publish from the "Allowed actions" to make staging mandatory for all OIDC publishes.

Summary by cubic

Switches the v0.x release workflow to npm stage publish so each release is staged and must be approved before going live. Pins npm to 11.15.0 in CI until Node ships a compatible version.

Description

  • Summary of changes
    • Replace npm publish with npm stage publish --provenance --access public --tag v0x.
    • Add CI step to install npm@11.15.0 (minimum for staged publishing).
  • Reasoning
    • Requires maintainer approval (2FA proof-of-presence) for OIDC publishes.
    • Aligns v0.x with the staged model used on v1.x.
  • Additional context
    • Update npm Trusted Publisher "Allowed actions" to permit npm stage publish or publishes will 403.
    • After both branches use staging, consider disabling npm publish to make staging mandatory.

Docs

  • Update /docs/ with the v0.x release flow:
    • How to approve staged releases in the npm UI.
    • Note the temporary npm@11.15.0 pin and removal criteria.
    • Trusted Publisher settings required for staged publishing.

Testing

  • No product tests needed; this is a CI workflow change.
  • First release run will validate flow; will fail with 403 until Trusted Publisher allows staged publishing.

Semantic version impact

  • None (tooling-only). If classified, treat as patch.

Written for commit e966fc9. Summary will update on new commits. Review in cubic

shaanmajid added 2 commits May 22, 2026 16:43
@shaanmajid
ci(publish): adopt npm staged publishing on v0.x
e136983 
Switch the v0.x publish workflow to `npm stage publish` so a maintainer
must approve each release from npm's stage queue (2FA proof-of-presence)
before it becomes installable, even for non-interactive OIDC CI publishes.
Mirrors the staged-publishing model upstream adopted on v1.x (axios#10926).

Pin npm to 11.15.0 explicitly: Node 24/26 currently bundle npm 11.13.0,
below the 11.15.0 minimum that `npm stage publish` requires.
@shaanmajid
docs(ci): note npm pin is temporary until node bundles npm 11.15.0
e966fc9
@shaanmajid shaanmajid requested a review from jasonsaayman as a code owner May 23, 2026 03:25
cubic-dev-ai[bot]
cubic-dev-ai Bot reviewed May 23, 2026
View reviewed changes

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 1 file

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.

Re-trigger cubic

@shaanmajid shaanmajid mentioned this pull request May 23, 2026
Merged
3 tasks
@jasonsaayman jasonsaayman self-assigned this May 24, 2026
@jasonsaayman jasonsaayman added priority::medium A medium priority commit::ci The PR is related to CI labels May 24, 2026
@jasonsaayman jasonsaayman merged commit 31b7bdf into axios:v0.x May 24, 2026
12 checks passed
@shaanmajid shaanmajid deleted the feat/staged-publish-v0x branch May 24, 2026 10:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

@jasonsaayman jasonsaayman Awaiting requested review from jasonsaayman jasonsaayman is a code owner

Assignees

@shaanmajid shaanmajid

Labels

commit::ci The PR is related to CI priority::medium A medium priority

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@shaanmajid @jasonsaayman